While other MediaPost newsletters and articles remain free to all ... our new Research Intelligencer service is reserved for paid subscribers ...

Subscribe today to gain access to the every Research Intelligencer article we publish as well as the exclusive daily newsletter, full access to The MediaPost Cases, first-look research and daily insights from Joe Mandese, Editor in Chief.

FTC Finalizes Privacy Settlement With Turn

The Federal Trade Commission has finalized a settlement
with ad company Turn over allegations that it deceived consumers by tracking them for ad purposes after they took steps to avoid data collection.

The settlement prohibits Turn from
misrepresenting its online data-gathering practices, and requires the company to offer an effective opt-out mechanism. Turn also agreed to put a link on its home page to information about data
collection and targeted advertising.

The company didn't admit to wrongdoing as part of the deal.

The agency said today that it received letters from two commenters, both of whom
appeared to have said that Turn should have been subjected to additional sanctions. The FTC told both people that it lacks authority to obtain civil penalties the first time that companies allegedly
engage in deceptive or unfair practices.

advertisement

advertisement

"We believe the prohibition against misrepresentations about the privacy of covered information, the required disclosure and Opt-Out mechanism, and the
requirement that Turn honor mobile operating system controls, will deter future violations," the FTC said in a written response to one of the commenters. "While the Commission does not have authority to
obtain civil penalties for an initial violation under Section 5 of the FTC Act, once the order becomes final Turn will risk civil penalties of up to $40,654 per violation per day."

The deal
stems from Turn's prior use of a controversial "supercookie" technology. From 2013 through early 2015, the company allegedly tracked Verizon wireless users via headers -- 50-character alphanumeric
strings, called X-UIDHs -- that Verizon injected into all unencrypted mobile traffic.

Those headers enabled ad companies to compile profiles of users and serve them targeted ads. The X-UIDHs
also are known as “zombie” cookies, or "supercookies," because they allow ad companies to recreate cookies that users delete.

The FTC alleged in its complaint that Turn
misled consumers by implying in its privacy policy that users could control online tracking by refusing to accept cookies. Until April of 2015, Turn's privacy policy didn't mention its use of tracking
headers, according to the FTC. Instead, the company said it used cookies for tracking, and that people could control whether their browsers accepted cookies.

The FTC also alleged that Turn
incorrectly stated in its privacy policy that they could opt out of receiving tailored ads by clicking on an opt-out link. Turn said that clicking on that link would result in users receiving an
opt-out cookie that "tells our servers not to deliver tailored, anonymous ads to you that deliver high value to the sites and apps you love."

But according to the FTC, the opt-out cookie only
applied to mobile browsers, and didn't block targeted ads on mobile apps.

Verizon has used the X-UIDHs for ad targeting since 2012, but didn't disclose their existence in its privacy policy
until late 2014. Initially, Verizon didn't let its subscribers opt out of the header insertions. But in 2015, faced with pressure from lawmakers, Verizon revised its policies to allow opt-outs. The
company later narrowed the program by saying it would only send the header to Verizon companies, including AOL.

In January of 2015, researcher Jonathan Mayer reported that Turn drew on
Verizon's headers to collect data and send targeted ads to mobile users who delete their cookies.

Turn initially acknowledged Mayer's report, and defended use of the tracking
headers. “At Turn, we always use the most stable identifier available to inform our bidding and campaign execution,” Max Ochoa, Turn's former general counsel and chief privacy officer,
said in a blog post. “In the case of Verizon devices, we use the non-cookie UIDH identifier.”

He added that clearing cookies “is not a widely recognized method of
reliably expressing an opt-out preference."

Several days later, the company changed its position and stopped using the tracking headers.